Tuesday, August 31, 2010

For years I have been tracking an India-based spam operation which I'll call "Bindaas Spaces" (based on one of its primary domains). Very little information about this spam ring has been published online to date; most of the information you'll find comes from my reports on McAfee SiteAdvisor and Web of Trust. The organization has been spamming since October 2007 if not earlier. Their unsubscribe request pages are not functional, meaning once you've been added to their list, there's no way to opt out. Their primary domain registrar, Net 4 India, has completely ignored all spam and abuse reports that I have submitted.

I intend to update this blog post in the future whenever I discover new domains related to this spam ring. If you have been spammed by this group, please see the "How to Report Spam from This Organization" section below.

Affiliated Domains

Following is a list of all the domains I'm aware of that this organization has linked or advertised in their spam. I've included some relevant links to McAfee SiteAdvisor, Web of Trust, DNS-BH, Threat Log, and/or URLVoid reports for these domains. Many of the domains listed below are (or have previously been) classified as "Red" or "Yellow" by McAfee due to "suspicious behavior," potential security risks, spam, and/or excessive popups:

Currently listed as Red by McAfee: "McAfee TrustedSource web reputation analysis found potential security risks with this site. Use with extreme caution." - also previously listed as Yellow because "[McAfee's] analysis found that this site may be promoted through spammy e-mail." - listed on DNS-BH as "malspam" - currently listed as a Spam threat on Threat Log - also listed on SpamCop:

Currently listed as Red by McAfee: "McAfee TrustedSource web reputation analysis found potential security risks with this site. Use with extreme caution." - also previously listed as Yellow for pop-ups - listed on DNS-BH as "malspam" - currently listed as a Spam threat on Threat Log - also on Joe Wein's spam blacklist:

Currently listed as Red by McAfee: "McAfee TrustedSource web reputation analysis found potential security risks with this site. Use with extreme caution." - also previously listed as Yellow for pop-ups - listed on DNS-BH as "malspam" - also currently listed as a Spam threat on Threat Log:

mysnapfish .info (McAfee SiteAdvisor, Web of Trust, DNS-BH, Threat Log, URLVoid; note the unethical and deceptive use of HP trademark "Snapfish"; I reported this trademark violation and the domain was shut down, but it has since been registered by a different person/organization who now operates the site)

Currently listed as Red by McAfee: "McAfee TrustedSource web reputation analysis found potential security risks with this site. Use with extreme caution." - listed on DNS-BH as "malspam" - also currently listed as a Spam threat on Threat Log:

Currently listed as Yellow by McAfee: "McAfee TrustedSource web reputation analysis found potential suspicious behavior on this site which may pose a security risk. Use with caution." - also currently listed as a Spam threat on Threat Log:

Currently listed as a Spam threat on Threat Log - currently listed as Yellow by McAfee: "When we browsed this site we received several pop-ups." - also previously listed as Yellow because "McAfee TrustedSource web reputation analysis found potential suspicious behavior on this site which may pose a security risk. Use with caution.":

Currently listed as a Spam threat on Threat Log - also formerly listed as Yellow by McAfee: "McAfee TrustedSource web reputation analysis found potential suspicious behavior on this site which may pose a security risk. Use with caution.":

Currently listed as Yellow by McAfee: "When we browsed this site we received several pop-ups." - also previously listed as Yellow because "McAfee TrustedSource web reputation analysis found potential suspicious behavior on this site which may pose a security risk. Use with caution.":

clubmahindra .com (McAfee SiteAdvisor, URLVoid; note that this domain currently has a Light Green rating on the community-operated Web of Trust site, which may indicate that a few people might feel that the site is legitimate in spite of having been affiliated with a spam ring)

How to Report Spam from This Organization

Please report this spam to the domain registrar by forwarding unsolicited e-mails that either contain links to or are sent from these domains (or redirect to/through one of these domains) to the registrar's abuse address. The most common registrar for these domains is Net 4 India Limited, whose abuse addresses are abuse@net4.in, abuse@net4domains.com, and abuse@net4india.net. So far all of my reports to Net 4 India have been ignored. I have also begun including CERT-In (the Indian Computer Emergency Response Team, info@cert-in.org.in) in the recipients list to inform them about the spam problem and Net 4 India's lack of response, providing a link to this article for reference.

These spammers violate CAN-SPAM by sending unsolicited commercial e-mail that does not contain functional opt-out instructions, does not clearly state that it's an advertisement, and never contains a postal mailing address. United States residents who receive any junk mail in violation of the CAN-SPAM Act should forward the e-mail to spam@uce.gov.

If you receive spam that links to one of these domains through a bit.ly redirect URL, please forward the spam to abuse@bit.ly. Thankfully, bit.ly takes spam reports seriously and will often put up an interstitial warning page when users click on a spammed bit.ly URL. However, so far bit.ly hasn't shut down the spam group's bit.ly account; their account page with a list of several of their links can be found here: https://bit.ly/u/funnyjoke — note that a couple of their spammed links have gotten more than 100,000 clicks, and several others have had tens of thousands of clicks.

If you receive spam that links to one of these domains through a tiny.cc redirect URL, please e-mail tinylink@gmail.com and be sure to paste the offending tiny.cc links and a description of the spam in question. Be aware that since tiny.cc uses Gmail, forwarding spam to their address may result in your e-mail being delivered to their spam folder and automatically deleted after 1 month; previously I assumed that reports to tiny.cc were being ignored, but the site owner finally made contact with me on 11 January 2011 and removed all of the previously reported tiny.cc URLs.

Also, please add a comment to this post if you have been spammed by the Bindaas Spaces operation, and share any affiliated domains you've seen linked in their spam (don't link to them, just paste the domain in plain text).
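
The reporting routes above can be applied mechanically to a message already identified as spam. The following is an added example, not part of the original post: the names `match` and `plan_reports` and the sample message are constructed for illustration, the registrar is assumed to be Net 4 India, and shortener links are assumed to have been confirmed as leading to an affiliated domain, since the script does not follow redirects.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Domains copied from this page (it writes them with a space before the TLD).
AFFILIATED = {d.replace(" ", "") for d in ("mysnapfish .info", "clubmahindra .com")}
# Assumption: the registrar is Net 4 India (the page's "most common"); confirm via WHOIS.
REGISTRAR = ["abuse@net4.in", "abuse@net4domains.com", "abuse@net4india.net",
             "info@cert-in.org.in"]  # CERT-In is copied on registrar reports
# tiny.cc reports are written by hand with the links pasted in, not forwarded.
SHORTENERS = {"bit.ly": ("abuse@bit.ly", "forward"),
              "tiny.cc": ("tinylink@gmail.com", "paste-links")}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

def match(url, domains):
    """Return the listed domain that the URL's host equals or is a subdomain of."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return next((d for d in domains if host == d or host.endswith("." + d)), None)

def plan_reports(raw_email, us_resident=False):
    """Map each abuse address to how to report and which URLs to cite."""
    msg = message_from_string(raw_email)
    body = "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in msg.walk() if p.get_content_maintype() == "text")
    plan = {}
    def add(addr, how, url):
        plan.setdefault(addr, {"how": how, "urls": []})["urls"].append(url)
    for url in URL_RE.findall(body):
        if match(url, AFFILIATED):
            for addr in REGISTRAR:
                add(addr, "forward", url)
        short = match(url, SHORTENERS)
        if short:
            add(*SHORTENERS[short], url)
    if plan and us_resident:
        plan["spam@uce.gov"] = {"how": "forward", "urls": []}  # CAN-SPAM report
    return plan

# Constructed sample message (not real spam); paths and addresses are made up.
SAMPLE = """From: offers@example.invalid
To: me@example.org
Subject: Win a holiday
Content-Type: text/plain; charset=utf-8

Click http://www.mysnapfish.info/offer or http://tiny.cc/abc123 now.
Unsubscribe: http://example.invalid/unsub
"""
```

Calling `plan_reports(SAMPLE, us_resident=True)` returns one entry per abuse address, with `"paste-links"` marking the tiny.cc report that should be written as a fresh message rather than forwarded.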

About Me

the JoshMeister

the JoshMeister (Joshua Long) is a computer security researcher from Southern California. He has a Master of Information Technology degree concentrating in Internet Security, and he has also taken doctorate-level coursework studying Business Administration and Computer and Information Security.

For more than a decade, Josh has been reporting spam, phishing scams, malicious or infected sites, and undetected malware samples to help protect others online.

To contact Josh, simply leave a comment on this site; all comments are moderated, so you can leave a private message this way. For confidentiality, you may encrypt your message with Josh's PGP key.